Anthem 2015 Data Breach Update

The team at Securolytics is diligently monitoring and analyzing the trends and news surrounding healthcare industry cyber attacks to better serve our clients. A year ago we analyzed the Excellus breach in depth.

This week we have an important and controversial update on the massive 2015 Anthem data breach, which affected 80 million people. Those suing Anthem are seeking security audit documents. We think this is a crucial juncture in the Anthem cyber case, and we want our clients to be informed. Here is some of the report:

“An 827-page document recently filed in U.S. district court in Washington by attorneys representing the plaintiffs in the consolidated class action lawsuit against Anthem seeks a court order compelling OPM to produce “a small number of documents” that OPM has identified as relating to a 2013 security audit and a 2015 “follow-on audit” of the insurer’s information systems.

“Plaintiffs suing Anthem Inc. in the wake of a cyber attack that exposed information on nearly 80 million individuals in 2015 want a court to open the door to revealing more of the results of audits of the insurer conducted by the U.S. Office of Personnel Management.”

“OPM’s Office of Inspector General performs a variety of audits on health insurers – including Anthem – that provide health plans to federal employees under the Federal Employee Health Benefits Program. The court filing notes that among those affected by the Anthem breach were “millions” of federal employees enrolled in health insurance offered by Anthem affiliates through FEHBP, which is administered by OPM.”

The court filing notes that the OPM audit documents pertaining to Anthem, formerly known as WellPoint, likely contain highly “probative information” related to:

  • The state of IT security at WellPoint/Anthem at the time of the 2013 audit and 2015 follow-on audit;
  • The insurer’s knowledge of IT security vulnerabilities;
  • Whether the company failed to undertake measures to appropriately monitor and secure personal information;
  • What actions the insurer took to circumvent OPM’s efforts to conduct IT security audits.

Such information will assist the plaintiffs in proving their claims against Anthem and other defendants in the breach lawsuit, the filing claims.

About 100 lawsuits against Anthem have been consolidated into one federal class-action case in California, in which plaintiffs, among other things, are seeking actual and statutory damages and restitution.”

Audit Requests

Anthem in 2013 refused to allow OPM OIG auditors to conduct a vulnerability test as part of a full security audit of the insurer’s systems. OPM had noted that Anthem said its corporate policy prohibited external entities from connecting to the Anthem network. The insurer did, however, allow the watchdog agency to conduct an information systems general and application control audit in 2013.

Among the findings of that more general 2013 audit, OIG found that Anthem “has established a series of IT policies and procedures to create an awareness of IT security at the plan. We also verified that [Anthem] has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees,” according to the OIG audit report released in September 2013.

After Anthem revealed the cyber attack in February 2015, OPM OIG requested to conduct a follow-up audit of the health plan’s security in the summer of 2015, but the watchdog agency was again met with resistance. OPM OIG, in a March 2015 statement provided to Information Security Media Group, said Anthem had again refused to allow the agency to perform “standard vulnerability scans and configuration compliance tests” (see Anthem Refuses Full Security Audit).

However, an OPM OIG spokeswoman on Nov. 3 told ISMG that OPM OIG did indeed conduct a narrow security audit on Anthem in 2015, following the breach. “In 2015 we went back to Anthem to conduct a limited-scope security audit where we performed additional testing. A limited-scope audit is where we intentionally look at only certain items. A scope limitation means that we were unable to conduct all work we intended,” she says. “We cannot provide any additional comments due to pending litigation.”

The plaintiffs’ motion seeks a subpoena for the documents related to the 2015 OPM audit. The court filing also does not indicate the extent of the watchdog agency’s 2015 review.

“Plaintiffs’ counsel has been informed by the Department of Justice that OPM did conduct a 2015 follow-on audit and that a 2015 draft audit report was provided by OPM to Anthem in the spring of 2016. The 2015 draft audit report is not privileged and plaintiffs’ counsel are currently seeking production of the 2015 draft audit report from Anthem,” the plaintiff’s motion states.”

Privileged Information?

“Although OPM has provided about 150 pages of various audit documents to the plaintiffs, the court filing noted that OPM was “withholding documents for which it asserted privilege and not merely because documents contained confidential information.”

The plaintiffs’ attorneys argue, however, that their clients’ “need for the documents and the compelling interest of millions of Federal Employee Class members and 80 million affected persons is sufficient to overcome the minimal, if any, potential for harm to OPM in light of the protections already in place for the handling and use of such documents.”

As an alternative to OPM segregating and releasing to the plaintiffs the requested documentation related to the IT security audits of Anthem, the plaintiffs ask that OPM should instead submit the documents to the court for review, which would permit a judge to determine whether the documents should be allowed in open court.”


Contact Securolytics now to learn more. Our global team is ready to assist you. We are all motivated by one overriding purpose: to keep organizations and businesses out of harm’s way from cyber criminals and sophisticated hackers.
